Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fontforge for openSUSE:Factory checked in at 2026-01-30 18:19:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/fontforge (Old) and /work/SRC/openSUSE:Factory/.fontforge.new.1995 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "fontforge" Fri Jan 30 18:19:44 2026 rev:65 rq:1329834 version:20251009 Changes: --------
--- /work/SRC/openSUSE:Factory/fontforge/fontforge.changes 2026-01-27 16:05:39.381304594 +0100
+++ /work/SRC/openSUSE:Factory/.fontforge.new.1995/fontforge.changes 2026-01-30 18:20:35.521268342 +0100
@@ -1,0 +2,71 @@
+Wed Jan 21 15:07:19 UTC 2026 - Cliff Zhao <[email protected]>
+
+- Add fontforge-fix-multiple-crashes-in-Multiple-Masters.patch:
+ Backport dfe5c803 from upstream, Fix multiple crashes in Multiple
+ Masters.
+
+-------------------------------------------------------------------
+Wed Jan 21 15:07:19 UTC 2026 - Cliff Zhao <[email protected]>
+
+- Add fontforge-fix-crash-for-content-over-32767-characters-in-GDraw.patch:
+ Backport 0df57ac0 from upstream, fix crash for content over 32767
+ characters in GDraw multiline text field.
+
+-------------------------------------------------------------------
+Wed Jan 21 15:07:19 UTC 2026 - Cliff Zhao <[email protected]>
+
+- Add fontforge-CVE-2025-15279-part02_720ea950.patch:
+ Backport 720ea950 from upstream, Move bounds check inside
+ cnt >= 3 block.
+ (CVE-2025-15279, ZDI-CAN-27517, bsc#1256013)
+
+-------------------------------------------------------------------
+Wed Jan 21 15:07:19 UTC 2026 - Cliff Zhao <[email protected]>
+
+- Add fontforge-CVE-2025-15269.patch:
+ Backport 6aea6db5 from upstream, Use-after-free in SFD ligature
+ parsing.
+ (CVE-2025-15269, ZDI-25-1195, ZDI-CAN-28564, bsc#1256032)
+
+-------------------------------------------------------------------
+Wed Jan 21 15:07:19 UTC 2026 - Cliff Zhao <[email protected]>
+
+- Add fontforge-CVE-2025-15275.patch:
+ Backport 71954027 from upstream, Fix heap buffer overflow in SFD
+ image parsing.
+ (CVE-2025-15275 ZDI-25-1189 ZDI-CAN-28543 bsc#1256025)
+
+-------------------------------------------------------------------
+Wed Jan 21 15:07:19 UTC 2026 - Cliff Zhao <[email protected]>
+
+- Add fontforge-CVE-2025-15279-part01_7d67700c.patch:
+ Backport 7d67700c from upstream, Fix heap buffer overflow in BMP
+ RLE decompression.
+ (CVE-2025-15279, ZDI-CAN-27517, bsc#1256013)
+
+-------------------------------------------------------------------
+Wed Jan 21 15:07:19 UTC 2026 - Cliff Zhao <[email protected]>
+
+- Add fontforge-fix-crash-on-UpDown-keypress-in-the-feature-list.patch:
+ Backport aca4f524 from upstream, Metrics view: Fix crash on Up/Down
+ keypress while in the feature list.
+
+-------------------------------------------------------------------
+Wed Jan 21 15:07:19 UTC 2026 - Cliff Zhao <[email protected]>
+
+- Add fontforge-fix-crash-in-Metrics-View.patch
+ Backport 46dc37435 from upstream, Fix crash in Metrics View.
+
+-------------------------------------------------------------------
+Wed Jan 21 15:07:19 UTC 2026 - Cliff Zhao <[email protected]>
+
+- Add fontforge-fix-UFO-crash-for-empty-contours.patch
+ Backport 77b1b148 from upstream, Fix UFO crash for empty contours.
+
+-------------------------------------------------------------------
+Wed Jan 21 15:07:19 UTC 2026 - Cliff Zhao <[email protected]>
+
+- Add fontforge-fix-crash-issue-in-allmarkglyphs.patch:
+ Backport 9d793fe9 from upstream, fix crash issue in allmarkglyphs.
+
+-------------------------------------------------------------------
New: ---- fontforge-CVE-2025-15269.patch fontforge-CVE-2025-15275.patch fontforge-CVE-2025-15279-part01_7d67700c.patch fontforge-CVE-2025-15279-part02_720ea950.patch fontforge-fix-UFO-crash-for-empty-contours.patch fontforge-fix-crash-for-content-over-32767-characters-in-GDraw.patch fontforge-fix-crash-in-Metrics-View.patch fontforge-fix-crash-issue-in-allmarkglyphs.patch fontforge-fix-crash-on-UpDown-keypress-in-the-feature-list.patch fontforge-fix-multiple-crashes-in-Multiple-Masters.patch ----------(New B)---------- New: - Add fontforge-CVE-2025-15269.patch: Backport 6aea6db5 from upstream, Use-after-free in SFD ligature New: - Add fontforge-CVE-2025-15275.patch: Backport 71954027 from upstream, Fix heap buffer overflow in SFD New: - Add fontforge-CVE-2025-15279-part01_7d67700c.patch: Backport 7d67700c from upstream, Fix heap buffer overflow in BMP New: - Add fontforge-CVE-2025-15279-part02_720ea950.patch: Backport 720ea950 from upstream, Move bounds check inside New: - Add fontforge-fix-UFO-crash-for-empty-contours.patch Backport 77b1b148 from upstream, Fix UFO crash for empty contours. New: - Add fontforge-fix-crash-for-content-over-32767-characters-in-GDraw.patch: Backport 0df57ac0 from upstream, fix crash for content over 32767 New: - Add fontforge-fix-crash-in-Metrics-View.patch Backport 46dc37435 from upstream, Fix crash in Metrics View. New: - Add fontforge-fix-crash-issue-in-allmarkglyphs.patch: Backport 9d793fe9 from upstream, fix crash issue in allmarkglyphs.
New: - Add fontforge-fix-crash-on-UpDown-keypress-in-the-feature-list.patch: Backport aca4f524 from upstream, Metrics view: Fix crash on Up/Down New: - Add fontforge-fix-multiple-crashes-in-Multiple-Masters.patch: Backport dfe5c803 from upstream, Fix multiple crashes in Multiple ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fontforge.spec ++++++ --- /var/tmp/diff_new_pack.a6GBHI/_old 2026-01-30 18:20:38.701401033 +0100 +++ /var/tmp/diff_new_pack.a6GBHI/_new 2026-01-30 18:20:38.713401534 +0100 
@@ -23,8 +23,30 @@ License: GPL-3.0-or-later URL: https://fontforge.org/ Source0: https://github.com/fontforge/fontforge/releases/download/%{version}/fontforge-%{version}.tar.xz +# PATCH-FIX-OPENSUSE fontforge-version.patch [email protected] -- fontforge --version now returns fontforge release version. Patch0: fontforge-version.patch +# PATCH-FIX-OPENSUSE add-bitmap-transform-support.patch boo#1169444 [email protected] -- support transforming bitmap glyphs from python with one of the predefined transformations. Patch1: add-bitmap-transform-support.patch +# PATCH-FIX-UPSTREAM fontforge-fix-crash-issue-in-allmarkglyphs.patch [email protected] -- Fix crash issue in allmarkglyphs (#5668). +Patch2: fontforge-fix-crash-issue-in-allmarkglyphs.patch +# PATCH-FIX-UPSTREAM fontforge-fix-UFO-crash-for-empty-contours.patch [email protected] -- Fix UFO crash for empty contours (#5645). +Patch3: fontforge-fix-UFO-crash-for-empty-contours.patch +# PATCH-FIX-UPSTREAM fontforge-fix-crash-in-Metrics-View.patch [email protected] -- Fix crash in Metrics View (#5647). +Patch4: fontforge-fix-crash-in-Metrics-View.patch +# PATCH-FIX-UPSTREAM fontforge-fix-crash-on-UpDown-keypress-in-the-feature-list.patch [email protected] -- Metrics view: Fix crash on Up/Down keypress while in the feature list (#5683). +Patch5: fontforge-fix-crash-on-UpDown-keypress-in-the-feature-list.patch +# PATCH-FIX-UPSTREAM fontforge-CVE-2025-15279-part01_7d67700c.patch CVE-2025-15279 ZDI-CAN-27517 bsc#1256013 [email protected] -- Fix CVE-2025-15279: Heap buffer overflow in BMP RLE decompression (#5720) +Patch6: fontforge-CVE-2025-15279-part01_7d67700c.patch +# PATCH-FIX-UPSTREAM fontforge-CVE-2025-15275.patch CVE-2025-15275 ZDI-25-1189 ZDI-CAN-28543 bsc#1256025 [email protected] -- Fix CVE-2025-15275: Heap buffer overflow in SFD image parsing (#5721). 
+Patch7: fontforge-CVE-2025-15275.patch +# PATCH-FIX-UPSTREAM fontforge-CVE-2025-15269.patch CVE-2025-15269 ZDI-25-1195 ZDI-CAN-28564 bsc#1256032 [email protected] -- Fix CVE-2025-15269: Use-after-free in SFD ligature parsing (#5722). +Patch8: fontforge-CVE-2025-15269.patch +# PATCH-FIX-UPSTREAM fontforge-CVE-2025-15279-part02_720ea950.patch CVE-2025-15279 ZDI-CAN-27517 bsc#1256013 [email protected] -- Fix CVE-2025-15279: Move bounds check inside cnt >= 3 block (#5723). +Patch9: fontforge-CVE-2025-15279-part02_720ea950.patch +# PATCH-FIX-UPSTREAM fontforge-fix-crash-for-content-over-32767-characters-in-GDraw.patch [email protected] -- Fix crash for content over 32767 characters in GDraw multiline text field (#5728). +Patch10: fontforge-fix-crash-for-content-over-32767-characters-in-GDraw.patch +# PATCH-FIX-UPSTREAM fontforge-fix-multiple-crashes-in-Multiple-Masters.patch [email protected] -- Fix multiple crashes in Multiple Masters (#5733). +Patch11: fontforge-fix-multiple-crashes-in-Multiple-Masters.patch BuildRequires: cairo-devel BuildRequires: cmake BuildRequires: fdupes ++++++ fontforge-CVE-2025-15269.patch ++++++ >From 6aea6db5da332d8ac94e3501bb83c1b21f52074d Mon Sep 17 00:00:00 2001 From: Ahmet Furkan Kavraz <[email protected]> Date: Sat, 10 Jan 2026 20:06:53 +0100 Subject: [PATCH] Fix CVE-2025-15269: Use-after-free in SFD ligature parsing (#5722) Prevent circular linked list in LigaCreateFromOldStyleMultiple by clearing the next pointer after shallow copy. The shallow copy propagates liga's modified next pointer from previous iterations, creating a cycle that causes double-free when the list is traversed and freed. Fixes: CVE-2025-15269 | ZDI-25-1195 | ZDI-CAN-28564 Co-authored-by: Ahmet Furkan Kavraz <[email protected]> --- fontforge/sfd.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fontforge/sfd.c b/fontforge/sfd.c index 0590c119f..a349d0b2f 100644 --- a/fontforge/sfd.c +++ b/fontforge/sfd.c 
@@ -4715,6 +4715,7 @@ static PST1 *LigaCreateFromOldStyleMultiple(PST1 *liga) { while ( (pt = strrchr(liga->pst.u.lig.components,';'))!=NULL ) { new = chunkalloc(sizeof( PST1 )); *new = *liga; + new->pst.next = NULL; new->pst.u.lig.components = copy(pt+1); last->pst.next = (PST *) new; last = new; -- 2.49.0 ++++++ fontforge-CVE-2025-15275.patch ++++++ >From 7195402701ace7783753ef9424153eff48c9af44 Mon Sep 17 00:00:00 2001 From: Ahmet Furkan Kavraz <[email protected]> Date: Fri, 9 Jan 2026 16:58:23 +0100 Subject: [PATCH] Fix CVE-2025-15275: Heap buffer overflow in SFD image parsing (#5721) Fixes: CVE-2025-15275 | ZDI-25-1189 | ZDI-CAN-28543 Co-authored-by: Ahmet Furkan Kavraz <[email protected]> --- fontforge/sfd.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fontforge/sfd.c b/fontforge/sfd.c index 6b980a478..0590c119f 100644 --- a/fontforge/sfd.c +++ b/fontforge/sfd.c @@ -3653,6 +3653,10 @@ static ImageList *SFDGetImage(FILE *sfd) { getint(sfd,&image_type); getint(sfd,&bpl); getint(sfd,&clutlen); + if ( clutlen < 0 || clutlen > 256 ) { + LogError(_("Invalid clut length %d in sfd file, must be between 0 and 256"), clutlen); + return NULL; + } gethex(sfd,&trans); image = GImageCreate(image_type,width,height); base = image->list_len==0?image->u.image:image->u.images[0]; -- 2.49.0 ++++++ fontforge-CVE-2025-15279-part01_7d67700c.patch ++++++ >From 7d67700cf8888e0bb37b453ad54ed932c8587073 Mon Sep 17 00:00:00 2001 From: Ahmet Furkan Kavraz <[email protected]> Date: Thu, 8 Jan 2026 15:47:43 +0100 Subject: [PATCH] Fix CVE-2025-15279: Heap buffer overflow in BMP RLE decompression (#5720) CVSS: 7.8 (High) ZDI-CAN-27517 Co-authored-by: Ahmet Furkan Kavraz <[email protected]> --- gutils/gimagereadbmp.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c index 5a137e28a..133336787 100644 --- a/gutils/gimagereadbmp.c +++ b/gutils/gimagereadbmp.c 
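Review bot: The added `new->pst.next = NULL;` in LigaCreateFromOldStyleMultiple carries no comment, and the loop alone does not show why it is needed: `*new = *liga` is a whole-struct copy, so from the second iteration on it picks up the `next` link that the earlier `last->pst.next = (PST *) new` stored in `liga`. I would put `/* *new = *liga copied liga's current next link; clear it so the new node cannot point back into the list being built */` above the assignment. The same struct copy duplicates every other pointer member of PST1 except `components`, which is replaced on the following line; whether any of those are owned pointers that get freed once per node is not visible here and is worth confirming. The function body starts and ends outside the hunk.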
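Review bot: Only `clutlen` is range-checked in SFDGetImage; `image_type` and `bpl` come from the `getint` calls directly above it, and together with `width` and `height` (read outside the hunk) they still reach `GImageCreate(image_type,width,height)` unvalidated, after which `image->list_len` is dereferenced with no NULL test. An SFD file is untrusted input, so the dimensions deserve the same treatment as the clut length, for example `if ( width <= 0 || height <= 0 || bpl <= 0 ) return NULL;` before the allocation and `if ( image == NULL ) return NULL;` after it; sensible upper bounds depend on what GImageCreate accepts, which is not visible here. If `getint` reports a failed read through its return value, that result is ignored as well, so `clutlen` would be tested with whatever it held before the call.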
@@ -181,12 +181,18 @@ static int readpixels(FILE *file,struct bmpheader *head) { int ii = 0; while ( ii<head->height*head->width ) { int cnt = getc(file); + if (cnt < 0 || ii + cnt > head->height * head->width) { + return 0; + } if ( cnt!=0 ) { int ch = getc(file); while ( --cnt>=0 ) head->byte_pixels[ii++] = ch; } else { cnt = getc(file); + if (cnt < 0 || ii + cnt > head->height * head->width) { + return 0; + } if ( cnt>= 3 ) { int odd = cnt&1; while ( --cnt>=0 ) -- 2.49.0 ++++++ fontforge-CVE-2025-15279-part02_720ea950.patch ++++++ >From 720ea95020c964202928afd2e93b0f5fac11027e Mon Sep 17 00:00:00 2001 From: Ahmet Furkan Kavraz <[email protected]> Date: Mon, 12 Jan 2026 22:45:16 +0100 Subject: [PATCH] Fix CVE-2025-15279: Move bounds check inside cnt >= 3 block (#5723) Co-authored-by: Ahmet Furkan Kavraz <[email protected]> --- gutils/gimagereadbmp.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c index 133336787..ad365158c 100644 --- a/gutils/gimagereadbmp.c +++ b/gutils/gimagereadbmp.c @@ -190,10 +190,10 @@ static int readpixels(FILE *file,struct bmpheader *head) { head->byte_pixels[ii++] = ch; } else { cnt = getc(file); - if (cnt < 0 || ii + cnt > head->height * head->width) { - return 0; - } if ( cnt>= 3 ) { + if (ii + cnt > head->height * head->width) { + return 0; + } int odd = cnt&1; while ( --cnt>=0 ) head->byte_pixels[ii++] = getc(file); -- 2.49.0 ++++++ fontforge-fix-UFO-crash-for-empty-contours.patch ++++++ >From 77b1b1486077c3a216b00d64d54fc861cad309b1 Mon Sep 17 00:00:00 2001 From: Maxim Iorsh <[email protected]> Date: Tue, 4 Nov 2025 23:46:52 +0200 Subject: [PATCH] Fix UFO crash for empty contours (#5645) --- fontforge/ufo.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fontforge/ufo.c b/fontforge/ufo.c index 56643d0f1..e9d988854 100644 --- a/fontforge/ufo.c +++ b/fontforge/ufo.c 
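Review bot: Both added checks in readpixels compare against `head->height * head->width`, recomputed from the header on every test; if those fields are plain `int` (the struct is not visible here), a crafted header can overflow the product and the limit the checks depend on stops meaning anything. Compute the pixel count once, after validating the dimensions, and compare against that, e.g. `size_t total = (size_t)head->width * (size_t)head->height;`. Separately, `int ch = getc(file);` in the run branch is still not tested for EOF, so a truncated file fills the run with the truncated EOF value instead of failing; `if ( ch < 0 ) return 0;` would match the new checks. The literal-copy loop `head->byte_pixels[ii++] = getc(file);` in this hunk and in the part02 hunk that follows has the same EOF gap.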
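Review bot: Moving the bounds check inside `if ( cnt>= 3 )` also drops the `cnt < 0` test, so a `getc` failure right after the zero escape byte is no longer rejected here and falls through to whatever handles values below 3, which lies outside the hunk. Keeping `if ( cnt < 0 ) return 0;` directly after `cnt = getc(file);` preserves the EOF handling while still exempting the escape codes from the length check. The outer loop would probably catch the EOF on its next `getc`, but that depends on the branch for the small values not consuming or writing anything first, which cannot be confirmed from this page.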
@@ -2722,6 +2722,10 @@ static SplineChar *_UFOLoadGlyph(SplineFont *sf, xmlDocPtr doc, char *glifname, for ( points=contour->children; points!=NULL; points=points->next ) if ( xmlStrcmp(points->name,(const xmlChar *) "point")==0 ) break; + if (points == NULL) { + // The UFO3 specification allows empty contours, we just drop them. + continue; + } for ( npoints=points->next; npoints!=NULL; npoints=npoints->next ) if ( xmlStrcmp(npoints->name,(const xmlChar *) "point")==0 ) break; -- 2.49.0 ++++++ fontforge-fix-crash-for-content-over-32767-characters-in-GDraw.patch ++++++ >From 0df57ac0d44fbe668f33a57593f94ba6c987a440 Mon Sep 17 00:00:00 2001 From: Maxim Iorsh <[email protected]> Date: Tue, 13 Jan 2026 19:10:56 +0200 Subject: [PATCH] Fix crash for content over 32767 characters in GDraw multiline text field (#5728) --- gdraw/ggadgetP.h | 12 ++++++------ gdraw/gtextfield.c | 8 ++++---- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/gdraw/ggadgetP.h b/gdraw/ggadgetP.h index 85b67ea06..b2115fc90 100644 --- a/gdraw/ggadgetP.h +++ b/gdraw/ggadgetP.h @@ -314,19 +314,19 @@ typedef struct gtextfield { uint8_t fh; uint8_t as; uint8_t nw; /* Width of one character (an "n") */ - int16_t xoff_left, loff_top; - int16_t sel_start, sel_end, sel_base; - int16_t sel_oldstart, sel_oldend, sel_oldbase; - int16_t dd_cursor_pos; + int32_t xoff_left, loff_top; + int32_t sel_start, sel_end, sel_base; + int32_t sel_oldstart, sel_oldend, sel_oldbase; + int32_t dd_cursor_pos; unichar_t *text, *oldtext; FontInstance *font; GTimer *pressed; GTimer *cursor; GCursor old_cursor; GScrollBar *hsb, *vsb; - int16_t lcnt, lmax; + int32_t lcnt, lmax; int32_t *lines; /* offsets in text to the start of the nth line */ - int16_t xmax; + int32_t xmax; GIC *gic; GTimer *numeric_scroll; char *utf8_text; /* For Pango */ diff --git a/gdraw/gtextfield.c b/gdraw/gtextfield.c index 19b16274c..f56a9d6a6 100644 --- a/gdraw/gtextfield.c +++ b/gdraw/gtextfield.c 
@@ -633,7 +633,7 @@ static int GTextFieldSelForeword(unichar_t *text,int end) { return( end ); } -static void GTextFieldSelectWord(GTextField *gt,int mid, int16_t *start, int16_t *end) { +static void GTextFieldSelectWord(GTextField *gt,int mid, int32_t *start, int32_t *end) { unichar_t *text; unichar_t ch = gt->text[mid]; @@ -664,7 +664,7 @@ static void GTextFieldSelectWord(GTextField *gt,int mid, int16_t *start, int16_t } static void GTextFieldSelectWords(GTextField *gt,int last) { - int16_t ss, se; + int32_t ss, se; GTextFieldSelectWord(gt,gt->sel_base,>->sel_start,>->sel_end); if ( last!=gt->sel_base ) { GTextFieldSelectWord(gt,last,&ss,&se); @@ -2185,7 +2185,7 @@ static void gtextfield_redraw(GGadget *g) { static void gtextfield_move(GGadget *g, int32_t x, int32_t y ) { GTextField *gt = (GTextField *) g; - int fxo=0, fyo=0, bxo, byo; + int fxo=0, fyo=0, bxo=0, byo=0; if ( gt->listfield || gt->numericfield ) { fxo = ((GListField *) gt)->fieldrect.x - g->r.x; @@ -2209,7 +2209,7 @@ static void gtextfield_move(GGadget *g, int32_t x, int32_t y ) { static void gtextfield_resize(GGadget *g, int32_t width, int32_t height ) { GTextField *gt = (GTextField *) g; int gtwidth=width, gtheight=height, oldheight=0; - int fxo=0, fwo=0, fyo=0, bxo, byo; + int fxo=0, fwo=0, fyo=0, bxo=0, byo=0; int l; if ( gt->listfield || gt->numericfield ) { -- 2.49.0 ++++++ fontforge-fix-crash-in-Metrics-View.patch ++++++ >From 46dc37435bc5b3daaf160f494cd36677d2bb8cb3 Mon Sep 17 00:00:00 2001 From: Maxim Iorsh <[email protected]> Date: Thu, 6 Nov 2025 22:54:52 +0200 Subject: [PATCH] Fix crash in Metrics View (#5647) --- fontforge/tottf.c | 4 ++-- fontforge/ufo.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/fontforge/tottf.c b/fontforge/tottf.c index 1b686c0b1..dddd5d6a6 100644 --- a/fontforge/tottf.c +++ b/fontforge/tottf.c 
@@ -6174,7 +6174,7 @@ int _WriteTTFFont(FILE *ttf,SplineFont *sf,enum fontformat format, fake_mappings = calloc(sf->glyphcnt,sizeof(bool)); for (i = 0; i < sf->glyphcnt; ++i) { - if (sf->glyphs[i]->unicodeenc == -1) { + if (sf->glyphs[i] && sf->glyphs[i]->unicodeenc == -1) { sf->glyphs[i]->unicodeenc = fake_unicode_base + sf->glyphs[i]->orig_pos; fake_mappings[i] = true; } @@ -6222,7 +6222,7 @@ int _WriteTTFFont(FILE *ttf,SplineFont *sf,enum fontformat format, // Remove temporarily assigned fake Private Area unicode point from all unmapped glyphs if (flags & ttf_flag_fake_map) { for (i = 0; i < sf->glyphcnt; ++i) { - if (fake_mappings[i]) + if (sf->glyphs[i] && fake_mappings[i]) sf->glyphs[i]->unicodeenc = -1; } free(fake_mappings); diff --git a/fontforge/ufo.c b/fontforge/ufo.c index e9d988854..d68633359 100644 --- a/fontforge/ufo.c +++ b/fontforge/ufo.c @@ -1050,7 +1050,7 @@ void clear_cached_ufo_paths(SplineFont * sf) { // First we clear the glif names. for (i = 0; i < sf->glyphcnt; i++) { struct splinechar * sc = sf->glyphs[i]; - if (sc->glif_name != NULL) { free(sc->glif_name); sc->glif_name = NULL; } + if (sc && sc->glif_name != NULL) { free(sc->glif_name); sc->glif_name = NULL; } } // Then we clear the layer names. for (i = 0; i < sf->layer_cnt; i++) { -- 2.49.0 ++++++ fontforge-fix-crash-issue-in-allmarkglyphs.patch ++++++ >From 9d793fe90ea0c5356e3fb00fa31d0737e1c952fc Mon Sep 17 00:00:00 2001 From: MihailJP <[email protected]> Date: Tue, 4 Nov 2025 02:29:32 +0900 Subject: [PATCH] Fix crash issue in allmarkglyphs (#5668) --- fontforge/tottfgpos.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/fontforge/tottfgpos.c b/fontforge/tottfgpos.c index 73d4e01c3..895ba87b0 100644 --- a/fontforge/tottfgpos.c +++ b/fontforge/tottfgpos.c 
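Review bot: The new `sf->glyphs[i] &&` guard in _WriteTTFFont covers the glyph pointer, but `fake_mappings`, returned by `calloc(sf->glyphcnt,sizeof(bool))` two lines above, is still written with `fake_mappings[i] = true` without a NULL test. The second tottf.c hunk reads `fake_mappings[i]` in the restore loop under the same assumption. A check right after the `calloc` that leaves through the function's existing error path (not visible in the hunk) would close this; the enclosing function starts and ends outside both hunks.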
@@ -1821,24 +1821,24 @@ static SplineChar **allmarkglyphs(SplineChar ***glyphlist, int classcnt) { int i, tot, k; if ( classcnt==1 ) -return( SFOrderedGlyphs(glyphlist[0])); + return( SFOrderedGlyphs(glyphlist[0])); for ( i=tot=0; i<classcnt; ++i ) { - for ( k=0; glyphlist[i][k]!=NULL; ++k ); - tot += k; + for ( k=0; glyphlist[i]!=NULL && glyphlist[i][k]!=NULL; ++k ); + tot += k; } glyphs = malloc((tot+1)*sizeof(SplineChar *)); for ( i=tot=0; i<classcnt; ++i ) { - for ( k=0; glyphlist[i][k]!=NULL; ++k ) - glyphs[tot++] = glyphlist[i][k]; + for ( k=0; glyphlist[i]!=NULL && glyphlist[i][k]!=NULL; ++k ) + glyphs[tot++] = glyphlist[i][k]; } qsort(glyphs,tot,sizeof(SplineChar *),orderglyph); for ( i=k=0; i<tot; ++i ) { - while ( i+1<tot && glyphs[i]==glyphs[i+1]) ++i; - glyphs[k++] = glyphs[i]; + while ( i+1<tot && glyphs[i]==glyphs[i+1]) ++i; + glyphs[k++] = glyphs[i]; } glyphs[k] = NULL; -return( glyphs ); + return( glyphs ); } static void dumpgposAnchorData(FILE *gpos,AnchorClass *_ac, -- 2.49.0 ++++++ fontforge-fix-crash-on-UpDown-keypress-in-the-feature-list.patch ++++++ >From aca4f524c6cb14cdc7bc4cd493492a33f5154797 Mon Sep 17 00:00:00 2001 From: Phil Krylov <[email protected]> Date: Mon, 17 Nov 2025 19:55:43 +0100 Subject: [PATCH] Metrics view: Fix crash on Up/Down keypress while in the feature list (#5683) --- fontforgeexe/metricsview.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fontforgeexe/metricsview.c b/fontforgeexe/metricsview.c index 8284673e4..c6d38f410 100644 --- a/fontforgeexe/metricsview.c +++ b/fontforgeexe/metricsview.c 
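Review bot: The `glyphlist[i]!=NULL` guard is added to both loops of allmarkglyphs, but the `classcnt==1` early return still passes `glyphlist[0]` straight to `SFOrderedGlyphs`; if a class list can be NULL with several classes it can presumably be NULL with one, and whether SFOrderedGlyphs accepts NULL is not visible here. That path needs a guard consistent with what callers expect for an empty class. The result of `malloc((tot+1)*sizeof(SplineChar *))` is also used unchecked by `glyphs[tot++] = ...` and `glyphs[k] = NULL`.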
@@ -4327,8 +4327,12 @@ static void MVChar(MetricsView *mv,GEvent *event) // should always move up/down in the list of kerning words. if( active != mv->text ) { + const unichar_t *title = _GGadgetGetTitle(active); + if (!title) + return; + unichar_t *end; - double val = u_strtod(_GGadgetGetTitle(active),&end); + double val = u_strtod(title,&end); if (isValidInt(end)) { int dir = ( event->u.chr.keysym == GK_Up || event->u.chr.keysym==GK_KP_Up ) ? 1 : -1; if( event->u.chr.state&ksm_control && event->u.chr.state&ksm_shift ) { -- 2.49.0 ++++++ fontforge-fix-multiple-crashes-in-Multiple-Masters.patch ++++++ >From dfe5c8035d716e99ebd0fdb1c49ea623d94737a7 Mon Sep 17 00:00:00 2001 From: Maxim Iorsh <[email protected]> Date: Mon, 19 Jan 2026 22:45:20 +0200 Subject: [PATCH] Fix multiple crashes in Multiple Masters (#5733) * Fix corruption in SFMakeChar() for MM fonts * Crash when opening MM font with kerning * Fix crash for missing MM Mac name --- Unicode/memory.c | 7 +++++++ Unicode/ustring.c | 2 +- fontforge/encoding.c | 40 ++++++++++++++++++++++++++-------------- fontforge/sfd.c | 4 +++- fontforgeexe/mmdlg.c | 6 +++--- inc/basics.h | 2 ++ 6 files changed, 42 insertions(+), 19 deletions(-) diff --git a/Unicode/memory.c b/Unicode/memory.c index 774b138fd..1613f7730 100644 --- a/Unicode/memory.c +++ b/Unicode/memory.c @@ -39,6 +39,13 @@ void NoMoreMemMessage(void) { fprintf(stderr, "Out of memory\n" ); } +void ExpandBuffer(void** p_buf, size_t elem_size, size_t increment, + int* p_maxalloc) { + *p_buf = realloc(*p_buf, (*p_maxalloc + increment) * elem_size); + memset((char*)*p_buf + (*p_maxalloc) * elem_size, 0, increment * elem_size); + *p_maxalloc += increment; +} + char *copy(const char *str) { return str ? strdup(str) : NULL; } diff --git a/Unicode/ustring.c b/Unicode/ustring.c index b0fe3387e..893eeedf2 100644 --- a/Unicode/ustring.c +++ b/Unicode/ustring.c 
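Review bot: ExpandBuffer in Unicode/memory.c assigns the `realloc` result straight back to `*p_buf` and then calls `memset` on it, so an allocation failure loses the old buffer and writes through a pointer derived from NULL. The size `(*p_maxalloc + increment) * elem_size` is computed with no overflow check and mixes the `int` capacity with `size_t` operands; the callers in fontforge/encoding.c pass an `int` difference as `increment`, so a negative difference would arrive as a very large value. Because the helper returns void and its callers index into the buffer right away, the sketch below fails stop instead of returning with the buffer unchanged; returning a status would be the alternative if the project prefers to recover.

```c
void ExpandBuffer(void** p_buf, size_t elem_size, size_t increment,
                  int* p_maxalloc) {
    size_t old_count, new_count;
    void *grown;

    if (increment == 0)
        return;
    /* The new count must still fit the int capacity field, and the byte
     * size must not wrap. */
    if (*p_maxalloc < 0 ||
        increment > (size_t)INT_MAX - (size_t)*p_maxalloc) {
        NoMoreMemMessage();
        abort();
    }
    old_count = (size_t)*p_maxalloc;
    new_count = old_count + increment;
    if (elem_size != 0 && new_count > SIZE_MAX / elem_size) {
        NoMoreMemMessage();
        abort();
    }
    /* Keep *p_buf untouched until the allocation is known to be good. */
    grown = realloc(*p_buf, new_count * elem_size);
    if (grown == NULL) {
        NoMoreMemMessage();
        abort();
    }
    memset((char *)grown + old_count * elem_size, 0, increment * elem_size);
    *p_buf = grown;
    *p_maxalloc = (int)new_count;
}
```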
@@ -535,7 +535,7 @@ unichar_t *utf82u_strncpy(unichar_t *ubuf,const char *utf8buf,int len) { } unichar_t *utf82u_strcpy(unichar_t *ubuf,const char *utf8buf) { -return( utf82u_strncpy(ubuf,utf8buf,strlen(utf8buf)+1)); +return( utf82u_strncpy(ubuf,utf8buf,c_strlen(utf8buf)+1)); } unichar_t *utf82u_copyn(const char *utf8buf,int len) { diff --git a/fontforge/encoding.c b/fontforge/encoding.c index 194ecd035..6eb9c6dc7 100644 --- a/fontforge/encoding.c +++ b/fontforge/encoding.c @@ -1233,7 +1233,7 @@ enum cmaptype { cmt_out=-1, cmt_coderange, cmt_notdefs, cmt_cid, cmt_max }; struct coderange { uint32_t first, last, cid; }; struct cmap { struct { - int n; + size_t n; struct coderange *ranges; } groups[cmt_max]; char *registry; @@ -1253,7 +1253,7 @@ static void cmapfree(struct cmap *cmap) { free(cmap); } -static struct coderange *ExtendArray(struct coderange *ranges,int *n, int val) { +static struct coderange *ExtendArray(struct coderange *ranges, size_t *n, int val) { if ( *n == 0 ) ranges = calloc(val,sizeof(struct coderange)); else { @@ -1280,7 +1280,8 @@ static struct cmap *ParseCMap(char *filename) { FILE *file; struct cmap *cmap; char *end, *pt; - int val, pos; + int val; + size_t pos; enum cmaptype in; int in_is_single; // We set this if we are to parse cidchars into cidranges. static const char *bcsr = "begincodespacerange", *bndr = "beginnotdefrange", *bcr = "begincidrange", *bcc = "begincidchar"; 
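Review bot: Switching utf82u_strcpy to `c_strlen` only helps if that function returns 0 for a NULL argument (its definition is not on this page), and in that case the call becomes `utf82u_strncpy(ubuf, NULL, 1)`; whether utf82u_strncpy tolerates a NULL source is not visible in this hunk. The mmdlg.c hunk further down depends on exactly this path, since `utf82u_strcpy(ti[i].text,ustyle)` runs with an `ustyle` that the new `c_strlen(ustyle)` sizing treats as possibly NULL. An explicit guard would state the intent and remove the dependency, for example `if ( utf8buf==NULL ) { *ubuf = 0; return( ubuf ); }` at the top of utf82u_strcpy.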
@@ -2363,21 +2364,32 @@ return( any ); } void SFAddGlyphAndEncode(SplineFont *sf,SplineChar *sc,EncMap *basemap, int baseenc) { - int gid, mapfound = false; + int j, gid, mapfound = false; FontViewBase *fv; BDFFont *bdf; if ( sf->cidmaster==NULL ) { - if ( sf->glyphcnt+1>=sf->glyphmax ) - sf->glyphs = realloc(sf->glyphs,(sf->glyphmax+=10)*sizeof(SplineChar *)); - gid = sf->glyphcnt++; - for ( bdf = sf->bitmaps; bdf!=NULL; bdf=bdf->next ) { - if ( sf->glyphcnt+1>=bdf->glyphmax ) - bdf->glyphs = realloc(bdf->glyphs,(bdf->glyphmax=sf->glyphmax)*sizeof(BDFChar *)); - if ( sf->glyphcnt>bdf->glyphcnt ) { - memset(bdf->glyphs+bdf->glyphcnt,0,(sf->glyphcnt-bdf->glyphcnt)*sizeof(BDFChar *)); - bdf->glyphcnt = sf->glyphcnt; - } + if (sf->glyphcnt + 1 > sf->glyphmax) + ExpandBuffer((void**)&sf->glyphs, sizeof(SplineChar*), 10, + &sf->glyphmax); + gid = sf->glyphcnt++; + for (bdf = sf->bitmaps; bdf != NULL; bdf = bdf->next) { + if (sf->glyphcnt + 1 > bdf->glyphmax) + ExpandBuffer((void**)&bdf->glyphs, sizeof(BDFChar*), + sf->glyphmax - bdf->glyphmax, &bdf->glyphmax); + } + if (sf->mm != NULL) { + if (sf->mm->normal->glyphmax < sf->glyphmax) + ExpandBuffer((void**)&sf->mm->normal->glyphs, + sizeof(SplineChar*), + sf->glyphmax - sf->mm->normal->glyphmax, + &sf->mm->normal->glyphmax); + for (j = 0; j < sf->mm->instance_count; ++j) + if (sf->mm->instances[j]->glyphmax < sf->glyphmax) + ExpandBuffer((void**)&sf->mm->instances[j]->glyphs, + sizeof(SplineChar*), + sf->glyphmax - sf->mm->instances[j]->glyphmax, + &sf->mm->instances[j]->glyphmax); } for ( fv=sf->fv; fv!=NULL; fv = fv->nextsame ) { EncMap *map = fv->map; diff --git a/fontforge/sfd.c b/fontforge/sfd.c index a349d0b2f..f3c84080d 100644 --- a/fontforge/sfd.c +++ b/fontforge/sfd.c @@ -9014,7 +9014,9 @@ exit( 1 ); } } } - if ( sf->cidmaster==NULL ) + + /* MM font has already been already fixed up. */ + if (sf->cidmaster == NULL && sf->mm == NULL) SFDFixupRefs(sf); if ( !haddupenc ) 
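Review bot: The rewritten bitmap loop in SFAddGlyphAndEncode grows `bdf->glyphs` but no longer advances `bdf->glyphcnt`, which the removed code set to `sf->glyphcnt` after zeroing the new slots; unless the part of the function outside this hunk does that, each bitmap strike keeps a stale count. The loop is also guarded by `sf->glyphcnt + 1 > bdf->glyphmax` while it grows by `sf->glyphmax - bdf->glyphmax`, an `int` difference converted to the `size_t` parameter that is 0 when the two capacities are already equal. Using the same form as the Multiple Master branches below it, `if (bdf->glyphmax < sf->glyphmax)`, keeps the guard and the increment in agreement and rules out a non-positive increment.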
diff --git a/fontforgeexe/mmdlg.c b/fontforgeexe/mmdlg.c index 1baf9ffda..540afdd1c 100644 --- a/fontforgeexe/mmdlg.c +++ b/fontforgeexe/mmdlg.c @@ -1632,7 +1632,7 @@ return( NULL ); pt[-1] = ']'; ustyle = PickNameFromMacName(mmw->old->named_instances[i].names); ti[i].bg = ti[i].fg = COLOR_DEFAULT; - ti[i].text = malloc((strlen(buffer)+3+strlen(ustyle))*sizeof(unichar_t)); + ti[i].text = calloc(strlen(buffer)+3+c_strlen(ustyle), sizeof(unichar_t)); utf82u_strcpy(ti[i].text,ustyle); uc_strcat(ti[i].text," "); uc_strcat(ti[i].text,buffer); @@ -1762,9 +1762,9 @@ static void MMW_ParseNamedStyles(MMSet *setto,MMW *mmw) { static void MMW_DoOK(MMW *mmw) { real weights[AppleMmMax+1]; - real fbt; + real fbt = 0.; int err = false; - char *familyname, *fn, *origname=NULL; + char *familyname, *fn=NULL, *origname=NULL; int i,j; MMSet *setto, *dlgmm; FontView *fv = NULL; diff --git a/inc/basics.h b/inc/basics.h index 86f0db712..9204285d5 100644 --- a/inc/basics.h +++ b/inc/basics.h @@ -73,6 +73,8 @@ typedef uint32_t unichar_t; #endif extern void NoMoreMemMessage(void); +extern void ExpandBuffer(void** p_buf, size_t elem_size, size_t increment, + int* p_maxalloc); static inline int imin(int a, int b) { -- 2.49.0
